In an environment where anti-virus providers are openly admitting that their products cannot stop many attacks and in which customers are under more pressure than ever before to keep their sensitive data protected, Fortify is touting a new process dubbed business software assurance that it maintains will change the manner in which organizations defend themselves from external threats.
While many companies are using products like Fortify's software vulnerability scanning tools to block the channels most frequently being used by outside attackers, such processes will soon evolve from sporadic exercises into a continuous routine aimed at staving off any and all applications-level threats, company officials said.
From the time that applications are written until they are up-and-running in production, companies will use a plethora of technologies, from Fortify's static code analysis scanners to black box testing tools and penetration testing systems, to secure their code, officials with the vendor maintain.
In that sense, applications security is maturing from a mere testing market into a larger, more continuous process, said Roger Thornton, chief technology officer at Fortify.
"When people think about applications security today, they think of these various types of tests, but what they are realizing today is that they need to be doing this work in a risk management framework, in a more repeatable manner," Thornton said. "Companies cannot keep addressing this process from the standpoint of looking at individual point products -- they need to approach it from the perspective of business software assurance."
Leery of having the idea pigeonholed as mere vendor marketing, Thornton said that an ecosystem of providers will drive business software assurance, or BSA, including companies whose tools are used by developers as software code is being written, such as its own, through to the so-called black box testing technologies used to test live applications.
Fortify sells a bundle of static code analysis tools and more "dynamic" scanning technologies for use by software quality assurance testers, along with some real-time applications monitoring capabilities for use after programs go live.
With attacks having moved to the applications-level in dramatic fashion over the last several years, and new compliance regulations holding companies more responsible for vulnerabilities in their systems, the need to adopt risk management throughout the development lifecycle is rapidly being brought into focus, Thornton contends.
"If you have the right risk management approach within the development process, you can go a lot further toward making applications impervious toward attacks," he said. "We're in the nascent stages of this whole idea of software assurance, but we believe that this is how customers, developers, and government agencies are going to begin looking at this problem, even as soon as over the next six months."
As part of the BSA process, organizations will require that business partners and even their customers are doing their own due diligence in keeping vulnerabilities out of their applications, according to Fortify's espoused vision.